Bug bounty scope gap on highest-TVL contracts

crvUSD (Curve Stablecoin)'s assessment for RD-F-183 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Curve operates a HackerOne bug bounty and self-hosted program with $250K CRV max payout. The $250K CRV payout to f(x) Protocol involved a bug routed through LLAMMA crvUSD/WETH, confirming crvUSD-adjacent systems are in scope. However, HackerOne scope page did not render (JS-rendered SPA), preventing explicit confirmation of crvUSD Controller/LLAMMA contract addresses in the in-scope list. No Immunefi listing exists where scope can be verified via API. Marking yellow: scope likely includes crvUSD but definitive contract-level confirmation unavailable.

Sources #

URL
Curve Bug Bounty Program — HackerOneCurve HackerOne program — scope not renderable via WebFetchretrieved 2026-05-16
Governance
Pay $250k Bug Bounty — Curve Governance ForumCurve governance vote confirming $250K CRV payout for LLAMMA-related bugretrieved 2026-05-16

Methodology #

Determine whether the highest-TVL contracts of this protocol (especially shared primitives: OFT adapters, ZK verifiers, bridge inbox) are explicitly excluded from the protocol's active bug bounty scope.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-183 score yellow collected_at 2026-05-16 19:09:40